November Patch Tuesday does its chores – Sophos News

Microsoft on Tuesday announced 63 patches affecting 13 product families. Four of the addressed issues are considered by Microsoft to be of Critical severity, and nine have a CVSS base score of 8.0 or higher. One is known to be under active exploit in the wild, though neither it nor any other issue addressed this month has been publicly disclosed.

At patch time, five CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the one already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

The slippery CVE count this month could reflect overflow from last month’s record-setting release. Two Important-severity Windows CVEs, CVE-2025-62208 and CVE-2025-62209, actually shipped in October, but were not mentioned in the information released by Microsoft at that time. For those who have already applied October’s patches, these two CVEs are already on your system, leaving just 61 patches for November. For the purposes of this post, however, we are including both of those CVEs in our November counts simply to make sure they get counted at all.

In a similar vein, five Chrome-issued patches relevant to Edge were patched earlier in the month. We have included information on those patches, along with 10 Adobe fixes related to ColdFusion and the usual Servicing Stack, in Appendix D.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix E provides a breakout of the patches affecting the various Windows Server platforms.

By the numbers

• Total CVEs: 63
• Publicly disclosed: 0
• Exploit detected: 1
• Severity
  • Critical: 4
  • Important: 59
• Impact
  • Denial of Service: 3
  • Elevation of Privilege: 29
  • Information Disclosure: 11
  • Remote Code Execution: 16
  • Security Feature Bypass: 2
  • Spoofing: 2
• CVSS Base score 9.0 or greater: 1
• CVSS Base score 8.0 or greater: 9

Figure 1: Elevation of Privilege issues continue to dominate the Patch Tuesday numbers

Products

• Windows: 38
• Office: 12
• 365: 11
• Excel: 7
• Visual Studio: 4
• Dynamics 365: 3
• Azure: 1
• Configuration Manager: 1
• Nuance PowerScribe 360: 1
• OneDrive for Android: 1
• SharePoint: 1
• SQL: 1
• Windows Subsystem for Linux: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Just 13 product families are touched by November’s patches, and some of the omissions are striking – for instance, note that though there are four Visual Studio fixes, none of those apply to .NET. Meanwhile, 34 of this month’s 38 Windows patches apply to Windows 10, for which Microsoft “ended support” with great fanfare in October

Notable November updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-62199 — Microsoft Office Remote Code Execution Vulnerability
CVE-2025-62214 — Visual Studio Remote Code Execution Vulnerability

All four Critical-severity issues in this month’s release are judged by Microsoft to be less likely to come under active exploitation within the next 30 days. Two of them are nonetheless of interest due to their ease of exploitation – or lack thereof. The Office vulnerability, a use-after-free issue that would allow a successful attacker to run code locally, is the only one among all this month’s Office issues to have Preview Pane as an attack vector. Meanwhile, the Visual Studio issue is unusually hard to exploit; notes Microsoft, “exploitation is not trivial for this vulnerability as it requires multiple steps — prompt injection, Copilot Agent interaction, and triggering a build.” Whew.

CVE-2025-60724 — GDI+ Remote Code Execution Vulnerability

The only CVE this month to merit a CVSS Base score above 9.0, this heap-based buffer overflow issue affects both Office and Windows. Microsoft assigns this issue only an Important-level severity and deems it less likely to see active exploit within the next 30 days. Why the discrepancy? Microsoft explains that the difference lies within the multiple vectors by which this issue could be exploited: “An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile without user interaction. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk.”

CVE-2025-30398 — Nuance PowerScribe 360 Information Disclosure Vulnerability
CVE-2025-60722 — Microsoft OneDrive for Android Elevation of Privilege Vulnerability

Two wildly dissimilar patches – one addressing a Critical-severity bug in extremely specialized medical software, one an Important-severity issue in a package with over five billion downloads so far – but they share an unusual path to resolution, as affected users have to get these updates outside the usual Microsoft patching mechanisms. Nuance users are asked to reach out to their Customer Success Manager (CSM) or Technical Support – yes, get in touch with actual humans – to obtain their updates. The other five billion of us, meanwhile, will be heading for the Google App Store to pick up our patch, though hopefully not all at the same time.

Figure 3: With one month to go in 2025, Elevation of Privilege CVEs continue to dominate the patch counts

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of November patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (29 CVEs)

Remote Code Execution (16 CVEs)

Information Disclosure (11 CVEs)

Denial of Service (3 CVEs)

Security Feature Bypass (2 CVEs)

Spoofing (2 CVEs)

Appendix B: Exploitability and CVSS

This is a list of the November CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

The CVE listed below was known to be under active exploit prior to the release of this month’s patches.

These are the November CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of November’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (38 CVEs)

Office (12 CVEs)

365 (11 CVEs)

Excel (7 CVEs)

Visual Studio (4 CVEs)

Dynamics 365 (3 CVEs)

Azure (1 CVE)

Configuration Manager (1 CVE)

Nuance PowerScribe 360 (1 CVE)

OneDrive for Android (1 CVE)

SharePoint (1 CVE)

SQL (1 CVE)

Windows Subsystem for Linux (1 CVE)

Appendix D: Advisories and Other Products

There are 5 Edge-related advisories in November’s release, all of which originated with Chrome.

This month also includes the periodic Servicing Stack updates, ADV990001.

Adobe is also releasing patches for ten ColdFusion issues today with Bulletin APSB25-105:

Appendix E: Affected Windows Server versions

This is a table of the 33 CVEs in the November release affecting Windows Server versions 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.